Security+ Chapter 8, Part 2
Method of Incident Isolation: A machine is simply removed from production and replaced.
Device Removal. A more common concept with virtual machines, which can be replaced without actually replacing the hardware.
Metadata records of modification, access, and creation times of certain files.
MAC Data
List the eight sources from which to collect evidence from the most volatile (likely to change) location to the least volatile location.
1. CPU, cache, and register contents
2. Routing tables, ARP cache, process tables, kernel statistics
3. Live network connections and data flows
4. Memory (RAM)
5. Temporary file system or swap space
6. Data on a hard disk
7. Remotely logged data
8. Data stored on archival media or backups
What are the nine steps of the Chain of Custody?
1. Record what was collected as evidence.
2. Record who collected it, with the date and time.
3. Record a description of the evidence.
4. Put the evidence in containers with a tag that has the case number and the information from step 2.
5. Record all hash values.
6. Securely transport the evidence to a protected facility.
7. Obtain a signature from the secure facility.
8. Provide controls to prevent access to the evidence.
9. Securely transport the evidence to court proceedings.
All persons who handled or had access to evidence. Shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since the evidence was obtained.
Chain of Custody
What does the text mean by "The final cost of an incident is often decided by external communication?"
Communication with the press, consumers, investors, etc. is often what decides the biggest impact of an incident. A trained public communicator should be used to soften the news to the outside world.
How do you determine a time offset?
Compare the system's clock time to an NTP server's time.
The release of information to an environment that is not trusted, by one means or another.
Data Breach
What is the next step that occurs after evidence of an incident begins to accumulate beyond a reasonable normal amount?
Escalation and Notification.
What three things about an incident need to be confirmed when an incident response team is notified of a potential incident?
Existence of the incident. Scope of it. Magnitude (impact) of it.
True or false: A single failed login attempt is not considered an incident.
False. It is considered an incident, but is usually not of consequence. More important is the identification of patterns and trends, such as 10,000 failed attempts on one system or failures on unrelated systems.
What is the objective of a first responder?
Find time-sensitive evidence. Search the desk, the Rolodex, the keyboard, the desktop storage, the cubicle area, disks, flash drives, USB drives, tapes, and other removable media. Request copies of logs as soon as possible.
What is the concept of ensuring that an incident does not continue to spread by the removal of infected machines from the rest of the network or a similar strategy?
Incident Isolation
A term used to describe the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system.
Incident Response
A group of people who prepare for and respond to any emergency incidents.
Incident Response Team
You have secured a system that was used to perform an attack and are currently debating with management whether or not to shut down that system. What would be the negative effect of shutting down the system?
Information in RAM about the attack is lost.
In simplest terms, what is the mitigation strategy known as data minimization?
Not keeping any data that you don't need.
What is the number one method in successfully handling an incident?
Proper preparation to handle said incident.
Method of Incident Isolation: Machine may be allowed to run, but its connection to other machines is broken to prevent spread of an issue.
Quarantine
In this step of the incident response cycle, a post-mortem session should collect lessons learned and assign action items to correct weaknesses and to suggest ways to improve.
Step Five: Lessons Learned. See the graphic at the top of page 142.
In this step of the incident response cycle, the investigation is complete and documented. Steps are taken to return the systems and applications to operational status.
Step Four: Recover. See the graphic at the top of page 142.
In this step of the incident response cycle, organizations administer an incident-reporting process to make sure that potential security breaches are reported and resolved.
Step One: Discover and Report. See the graphic at the top of page 142.
In this step of the incident response cycle, a response team composed of network, system, and application specialists should investigate the incident in detail to determine the extent of the incident and devise a recovery plan.
Step Three: Investigate. See the graphic at the top of page 142.
In this step of the incident response cycle, specialists or a response team member review the incident report to confirm whether or not a security incident has occurred.
Step Two: Confirm. See the graphic at the top of page 142.
What are the three states of the data lifecycle?
Storage. Transit. Processing.
In simple terms, what is a "big data" analysis?
The analysis of large quantities of data (terabytes upon terabytes upon terabytes) in digital forensics.
Why would some situations require photographic evidence with old-school Polaroid photos rather than digital photos?
The older photo methods are harder to tamper with.
What are the three risk factors to consider in the data lifecycle?
Time: Data spends most of its time in storage.
Quantity: There is usually more data in storage than in transit.
Access: How restrictive are the controls on data access for the system being considered?
What is the purpose of "Lessons Learned" or "Post-Mortems?"
To ensure that an enterprise is taking steps to prevent the incident that has already occurred from ever occurring again.
True or false: Most ISPs will protect logs that could be subpoenaed.
True.